Hello all!
We have the following use case: we need to deactivate an account when all its entitlements are removed. We have tried using workflows, but we are not clear what the trigger should be.
Has anyone done this? How did you solve it?
Thanks in advance
Regards
Option 1: Using a Before Provisioning rule. Check if the operation is to remove entitlements, get all current entitlements for the specific account and compare the list with the entitlements being removed. If they all match (meaning after this specific provisioning process the account will not have any entitlements), then change the Account Request operation to Disable.
Option 2: Using a Workflow that triggers on Provisioning Completed for the specific source, with additional filters to ensure the workflow is triggered only when the provisioning process was to remove the entitlements. Inside the workflow, get the list of entitlements and check if an entitlement exists under the specific source. If not, call the Disable Account API.
2 Likes
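The comparison described in Option 1, as an added example that is not part of the original posts and is not SailPoint rule code: a plain Python model of the decision, which also covers a plan that removes and adds entitlements in the same request. The dict layout, the `groups` attribute name, and the sample account are assumptions constructed for illustration.

```python
from copy import deepcopy

ENTITLEMENT_ATTRS = {"groups"}  # assumed entitlement attribute name on the source

def entitlements_after(current, attribute_requests, attrs=ENTITLEMENT_ATTRS):
    """Return (remaining (attr, value) pairs, whether the plan removes entitlements)."""
    remaining = {(a, v) for a, vals in current.items() if a in attrs for v in vals}
    removed_any = False
    for req in attribute_requests:
        name, value = req["name"], req["value"]
        if name not in attrs:
            continue  # ordinary attribute change, not an entitlement
        pairs = {(name, v) for v in (value if isinstance(value, list) else [value])}
        if req["op"] == "Remove":
            removed_any = True
            remaining -= pairs
        elif req["op"] == "Add":
            remaining |= pairs
        elif req["op"] == "Set":  # Set replaces every value of that attribute
            remaining = {p for p in remaining if p[0] != name} | pairs
    return remaining, removed_any

def apply_disable_policy(account_request, current, attrs=ENTITLEMENT_ATTRS):
    """Return a copy of the request, switched to Disable when its removals
    leave the account with no entitlements at all."""
    out = deepcopy(account_request)
    if out["op"] != "Modify":
        return out  # Create/Delete/Enable/Disable requests are left alone
    remaining, removed_any = entitlements_after(current, out["attributeRequests"], attrs)
    if removed_any and not remaining:
        out["op"] = "Disable"
    return out

# Constructed sample data: the account's current state and one incoming request.
CURRENT = {"groups": ["grp-finance", "grp-vpn"], "department": ["Sales"]}
REMOVE_ALL = {"op": "Modify", "nativeIdentity": "jdoe", "attributeRequests": [
    {"op": "Remove", "name": "groups", "value": ["grp-finance", "grp-vpn"]}]}

if __name__ == "__main__":
    print(apply_disable_policy(REMOVE_ALL, CURRENT)["op"])
```
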
Option 3 (maybe, untested): Identity Attribute, Transform and workflow trigger
Identity attribute: Entitlement counter of a source account (e.g. an AD Account)
Transform: Static, velocity. Loop & count(Identity, get link, get entitlements)
Workflow trigger: On attribute’s new value = 0.
This covers out-of-band entitlement changes, regardless of whether ISC made the last entitlement deprovisioning or not (i.e., it’s not provisioning based, but more of an ongoing enforcement).
1 Like
Probably a search query to find those accounts, then subscribe to that trigger and use a workflow to disable those accounts.
1 Like